jefferyxhy opened a new pull request, #915: URL: https://github.com/apache/struts/pull/915
WW-5417 bump the Ognl version to fix the security issue that `ObjectPropertyAccessor#setPossibleProperty` bypasses the SecurityMemberAccess right check.

***********************
From [Ognl PR](https://github.com/orphan-oss/ognl/pull/263)
***********************

`OgnlRuntime.setFieldValue` doesn't check member access rights via the `MemberAccess` interface

**Reason**

* Investigation shows that `getMethodValue` / `setMethodValue` / `getFieldValue` are all updated with a member access rights check, but not `setFieldValue`, which causes `ObjectPropertyAccessor#setPossibleProperty` to be exposed to a security vuln.
* `ObjectPropertyAccessor#setPossibleProperty` has a fallback mechanism using `getWriteMethod` which also lacks a member access rights check

**Changes / Solution**

* add a field member access check to `OgnlRuntime#setFieldValue` that is controlled by the parameter `checkAccessAndExistence`
* add a method member access check to the `ObjectPropertyAccessor#setPossibleProperty` code block that uses `OgnlRuntime#getWriteMethod`

**Result & Impact**

now `ObjectPropertyAccessor#setPossibleProperty` will also check member access rights when falling back to use:

* OgnlRuntime.setFieldValue
* method invoke that is from OgnlRuntime.getWriteMethod

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
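A small stand-alone harness for the bypass described in the PR above, added here as an example and not code from the Struts or OGNL projects. It targets a public field with no setter, so `ObjectPropertyAccessor#setPossibleProperty` has no write method and must fall back to `OgnlRuntime.setFieldValue`; a deny-everything `MemberAccess` then shows whether that path ever consults `isAccessible()`. The class and field names (`Target`, `name`, `DenyAllMemberAccess`) are made up for the example, and it assumes the OGNL 3.1+ API (`Ognl.createDefaultContext(Object, MemberAccess)`, `Ognl.setValue(String, Map, Object, Object)` and the three-method `ognl.MemberAccess` interface); check them against the OGNL version on your classpath.

```java
import java.lang.reflect.Member;
import java.util.Map;

import ognl.MemberAccess;
import ognl.Ognl;
import ognl.OgnlException;

/*
 * Added example (not project code). Exercises the setFieldValue fallback of
 * ObjectPropertyAccessor#setPossibleProperty against a MemberAccess that
 * denies everything, to show whether the access check is consulted.
 */
public class SetFieldValueAccessCheck {

    /** Hypothetical target: a public field and deliberately no setter, so OGNL
     *  cannot use getWriteMethod and falls back to OgnlRuntime.setFieldValue. */
    public static class Target {
        public String name = "original";
    }

    /** Hypothetical stand-in for Struts' SecurityMemberAccess: refuses every
     *  member and counts how often it was actually asked. */
    static class DenyAllMemberAccess implements MemberAccess {
        int checks = 0;

        @Override
        public Object setup(Map context, Object target, Member member, String propertyName) {
            return null; // nothing to change on the member before access
        }

        @Override
        public void restore(Map context, Object target, Member member, String propertyName, Object state) {
            // nothing to restore
        }

        @Override
        public boolean isAccessible(Map context, Object target, Member member, String propertyName) {
            checks++;
            return false; // deny everything: any successful write is a bypass
        }
    }

    /** Runs the write and reports whether the MemberAccess was honoured. */
    public static boolean writeWasBlocked() {
        Target target = new Target();
        DenyAllMemberAccess access = new DenyAllMemberAccess();
        // Assumption: OGNL 3.1+ signature that installs the MemberAccess in the context.
        Map context = Ognl.createDefaultContext(target, access);

        boolean threw = false;
        try {
            // Simple property set: no setter exists, so this reaches the setFieldValue fallback.
            Ognl.setValue("name", context, target, "tampered");
        } catch (OgnlException e) {
            threw = true; // expected once setFieldValue checks MemberAccess (fixed OGNL)
        }

        System.out.println("isAccessible() consulted " + access.checks + " time(s), "
                + "threw=" + threw + ", name is now \"" + target.name + "\"");

        // Blocked only if the check ran, refused the write, and the field is untouched.
        return threw && access.checks > 0 && "original".equals(target.name);
    }

    public static void main(String[] args) {
        System.out.println(writeWasBlocked()
                ? "OK: setFieldValue fallback honours MemberAccess"
                : "BYPASS: field written without a MemberAccess check");
    }
}
```

Compile and run it twice, once against the OGNL version Struts used before this bump and once against the bumped one: with the old jar the PR's description predicts `checks == 0` and `name == "tampered"` (the fallback never asks `MemberAccess`), with the fixed jar the write should raise an `OgnlException`, `checks` should be at least 1, and the field should keep its original value. Adding a setter to `Target` switches the test to the `getWriteMethod` path, the second fallback the PR says it now guards.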
